authorGerald Combs <gerald@wireshark.org>2019-04-18 16:45:15 -0700
committerAnders Broman <a.broman58@gmail.com>2019-04-21 07:32:29 +0000
commitc9ca78fc2bb96923828a57c47f8840d7bb3bc1dc (patch)
tree446ee3849319e3c535aae3859372ba49b74bb97b /packaging
parent93b9388676a3dbfb3d079a9f4335c090b7b45b98 (diff)
macOS: Add a notarization script.
According to https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution notarization will be required in a future release of macOS. Add a script for doing so. The process requires submitting our .dmg to Apple, waiting for it to finish, and stapling a ticket to our .dmg. Change-Id: I5b9c0c36cc2182fdd0baeada823aaacba7730a88 Reviewed-on: https://code.wireshark.org/review/32906 Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'packaging')
-rwxr-xr-xpackaging/macosx/notarize-dmg.sh99
1 files changed, 99 insertions, 0 deletions
diff --git a/packaging/macosx/notarize-dmg.sh b/packaging/macosx/notarize-dmg.sh
new file mode 100755
index 0000000000..75585b2387
--- /dev/null
+++ b/packaging/macosx/notarize-dmg.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+#
+# USAGE
+# notarize-dmg -u <developer id> "/path/to/Wireshark x.y.z arch.dmg"
+
+# https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
+# https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow
+
+bundle_id="org.wireshark.dmg.$( printf "%x" $RANDOM )"
+
+# Parse command line arguments
+while getopts u: OPTCHAR
+do
+ case $OPTCHAR in
+ u)
+ username="$OPTARG"
+ shift 2
+ ;;
+ *)
+ echo "Invalid command line option"
+ exit 2 ;;
+ esac
+done
+
+dmg_file="$1"
+
+if [[ "$username" != *?@*? ]] ; then
+ echo "Username doesn't appear to be a valid Apple developer ID."
+ exit 1
+fi
+
+if [ ! -r "$dmg_file" ] ; then
+ echo "Can't find file: ${dmg_file:-No file specified}"
+ exit 1
+fi
+
+# XXX Set account to $username instead?
+generic_pw_service="WS_DMG_NOTARIZE"
+
+if ! security find-generic-password -a "$username" -s "$generic_pw_service" > /dev/null 2>&1 ; then
+ echo -e "No keychain credentials found. You can add them by running\\n"
+ echo -e " security add-generic-password -a $username -s $generic_pw_service -T altool -w\\n"
+ exit 2
+fi
+
+echo -e "Notarizing $dmg_file\\n"
+echo -e "SHA256 pre: $(shasum -a 256 "$dmg_file" | awk '{print $1}' )\\n"
+
+if ! altool_out=$( mktemp /tmp/notarize-dmg.out.XXXXX ) ; then
+ echo "Unable to create temp file"
+ exit 1
+fi
+# trap 'rm -f "$altool_out"' EXIT
+
+xcrun altool \
+ --notarize-app \
+ --type osx \
+ --username "$username" \
+ --password "@keychain:${generic_pw_service}" \
+ --primary-bundle-id "$bundle_id" \
+ --file "$dmg_file" \
+ 2>&1 | tee "$altool_out"
+
+request_uuid=$( awk '/^RequestUUID/ { print $3 }' < "$altool_out")
+if [[ "$request_uuid" != *-*-*-*-* ]] ; then
+ echo "Unable to fetch request UUID"
+ exit 1
+fi
+
+eval_info_cmd=(xcrun altool \
+ --eval-info "$request_uuid" \
+ --user "$username" \
+ --password "@keychain:${generic_pw_service}" \
+ )
+
+for try in {1..40} ; do
+ printf "\\nWaiting 15s \xe2\x80\xa6 "
+ sleep 15
+ echo "done. Checking status ($try of 40)"
+ "${eval_info_cmd[@]}" 2>&1 | tee "$altool_out"
+ grep "Status: in progress" "$altool_out" > /dev/null 2>&1 || break
+done
+
+staple_cmd=(xcrun stapler staple "$dmg_file")
+
+if ! grep "Status: success" "$altool_out" > /dev/null 2>&1 ; then
+ echo "Notarization failed or timed out:"
+ cat "$altool_out"
+ echo -e "\\nInfo command:"
+ echo "${eval_info_cmd[@]}"
+ echo -e "\\nStaple command:"
+ echo "${staple_cmd[@]}"
+ exit 1
+fi
+
+echo -e "\\nStapling $dmg_file"
+"${staple_cmd[@]}"
+
+echo -e "\\nSHA256 post: $(shasum -a 256 "$dmg_file" | awk '{print $1}' )"
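Review bot: The `shift 2` in the `u)` arm of the `getopts` loop assumes the option and its argument are always two separate words; with the attached form `-uname@example.com file.dmg` it also discards the .dmg path, and any option added later would be read from the wrong position because `OPTIND` is not adjusted to match. Drop the in-loop shift and add `shift $((OPTIND - 1))` after `done`, before `dmg_file="$1"`. Separately, the cleanup trap is commented out, so each run leaves the altool log behind in `/tmp`; if that is deliberate for debugging, a comment saying so would help, otherwise restore `trap 'rm -f "$altool_out"' EXIT`.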